CSE 127: Computer Security

Lecture: Tue and Thu 11:00 A.M. to 12:20 P.M. in Center Hall 105

Discussion: Wed 4:00 P.M. in Center Hall 109

Instructor: Kirill Levchenko klevchen@cs.ucsd.edu (public key)

TAs: Ian Foster and Jake Maskiewicz cs127f1@ieng6.ucsd.edu (public key)

Piazza: https://piazza.com/ucsd/fall2014/cse127/home

Course Syllabus

Written and Programming Assignments

With the exception of the first assignment, all assignments must be submitted via email to cs127f1@ieng6.ucsd.edu. Your submission must be encrypted to the TA public key and signed using your PGP key from the first assignment.

1Oct 8 at 5pmAssignment 1.
2Oct 16 at 11amAssignment 2 (rev. 3), hw2skel.tgz, hw2vm.torrent.
3Oct 23 at 10pmAssignment 3.
4Nov 4 at 10pmAssignment 4 (rev. 4), hw4skel.tgz (rev. 2), hw4vm.torrent, dicussion section slides.
5Nov 25 at 10pmAssignment 5 (rev. 3), hw5skel.tgz, hw5vm.torrent.
6Dec 4 at 10pmAssignment 6
6Dec 12 at 10pmAssignment 7 (rev. 2)

Lectures and Reading Assignments

All chapter references in readings are to Ross Anderson's Security Engineering.

DateTopicReading Assignment
Oct 2IntroductionNo Reading
Oct 7Security BasicsCh. 1 in Anderson,
Saltzer and Schroeder, "The Protection of Information in Computer Systems," Section I only.
Oct 9Security ModelsCh. 4 Sections 4.1 through 4.2.6 in Anderson,
PostgreSQL 9.3 Manual: GRANT statement, Sec. 5.6 Privileges, Sec. 20.6 Role Membership;
Linux File Security;
AppArmor Overview, profile language.
Oct 14Multilevel SecurityCh. 8 Sections 8.1, 8.2, 8.3, and 8.6 in Anderson,
Enck et al. "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones."
Oct 16Threat ModelingWatch Akshay Aggarwal's introduction to threat modeling: video and slides.
For reference only: CAPEC list version 2.6.
Oct 21Symmetric CryptographyCryptography 101 - The Basics by D. Brumley,
Ch. 5 Section 5.1 to 5.6 in Anderson.
Oct 23Asymmetric CryptographyCh. 5 Section 5.7 to 5.8 in Anderson.
Oct 28Public Key InfrastructureA Short Tutorial on Distributed PKI from Isode Ltd.,
PGP Web of Trust: Core Concepts Behind Trusted Communication by K. Ryabitsev,
Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure by C. Ellison and B. Schneier.
Information Security: Before and After Public Key Cryptography by Whitfield Diffie (optional).
Oct 30Identity and AuthenticationCh. 2 Sections 2.4 through 2.4.5, RFC 5849 OAuth 1.0 (Sec. 1 only), RFC 4226: HOTP (Sec. 1 through 5).
Nov 4Laws and EthicsThe Computer Fraud and Abuse Act: Hacking Into the Authorization Debate by Alden Anderson (Section I only), Wikipedia: Digital Millennium Copyright Act, Fact Sheet 9: Wiretapping and Eavesdropping on Telephone Calls from the Privacy Rights Clearinghouse, Cybercrime Reference (for reference only)
Nov 6Midterm ExamNo Reading
Nov 11Veterans DayNo Class
Nov 13Buffer OverflowsSmashing The Stack For Fun And Profit by Aleph One.
Nov 18Buffer Overflows ContinuedBuffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Cowan et al., ASLR for Linux from the PaX project, NOEXEC for Linux from the PaX project, Printf (reference for HW 5).
Nov 20Web SecurityXSS Game, CSRF from OWASP, Same Origin Policy from Google (read through "Same-origin policy for cookies").
Nov 25SQL InjectionPHP Manual: SQL Injection,
Nov 27ThanksgivingNo Class
Dec 2Advanced Web SecurityFrom the Aether to the Ethernet - Attacking the Internet using Broadcast Digital Television by Y. Oren and A. D. Keromytis, Clickjacking by R Hansen and J. Grossman
Dec 4Network SecurityA Look Back at Security Problems in the TCP/IP Protocol Suite by S. Bellovin
Dec 9Network SecurityAn Illustrated Guide to the Kaminsky DNS Vulnerability by S. Friedl
Dec 11ReviewNo Reading
Dec 17Final Exam11:30am to 2:30pm, Location TBA